Domain: dsbl.org
Stories and comments across the archive that link to dsbl.org.
Comments · 25
-
Re:Blacklist gmail
You might wanna check this: Why are you blacklisting Gmail?
-
0 spam
I literally get 0 spam in my inbox. The only spam I ever get is from businesses that I have a "relationship" with (i.e., created an account on their site, said no thanks to junk, but got it anyway). Easy enough to block them since each site gets their own alias: jan-1-2007@mydomain.com, which I can filter later on and never bother to "unsubscribe."
I use sendmail with greylisting as my frontline defense, then dul.dnsbl.sorbs.net, sbl-xbl.spamhaus.org, list.dsbl.org, and lastly bl.spamcop.net. Thunderbird is great at picking up all the stupid "business relationship" junk based on the server's spamassassin markings (but I don't have spamassassin dropping anything, just marking it up), but mostly just gets in the way of me permanently rejecting their mail (just a few a month ever come in).
I found many of the sendmail configuration lines from http://www.sdsc.edu/~jeff/spam/Sendmail.html if you'd like to give it a try.
4 days worth of spam filtering shows the following were blocked (this is just for my little list of personal domains, mind you):
# grep -c sorbs /var/log/maillog
16048
# grep -c spamhaus /var/log/maillog
13246
# grep -c dsbl.org /var/log/maillog
230
# grep -c spamcop.net /var/log/maillog
897
Combined spam blocked (each file is 7 days worth of spam count, except the top one which is only 4 days):
# grep -cF $'sorbs\nspamhaus\ndsbl.org\nspamcop.net' /var/log/maillog*
/var/log/maillog:30486
/var/log/maillog.1:43508
/var/log/maillog.2:41687
/var/log/maillog.3:36868
/var/log/maillog.4:35687
-
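The grep counts above key off the list name that sendmail writes into the rejection line. The script below is an added example, not the commenter's code: it parses constructed maillog lines in the shape a FEATURE(dnsbl) rejection produces and reports per-list and per-status totals, which also separates the 550 permanent rejects from 450 temporary ones.

```python
"""Count DNSBL rejections per list and per SMTP code in a sendmail maillog.

Added example. The log lines below are constructed to resemble sendmail's
check_relay rejection entries using the reject strings from the posted
FEATURE(dnsbl) lines; the exact field layout is an assumption, not taken
from the page. All addresses are documentation ranges.
"""
import re
from collections import Counter

SAMPLE_MAILLOG = """\
Jan  5 10:12:01 mx sendmail[4101]: k05AC1xx004101: ruleset=check_relay, arg1=[192.0.2.10], arg2=127.0.0.2, relay=[192.0.2.10], reject=550 Mail from 192.0.2.10 BLOCKED/DSBL; see http://www.dsbl.org/listing?192.0.2.10
Jan  5 10:12:07 mx sendmail[4102]: k05AC7xx004102: ruleset=check_relay, arg1=[198.51.100.7], arg2=127.0.0.4, relay=[198.51.100.7], reject=550 Mail from 198.51.100.7 BLOCKED/ZEN; see http://www.spamhaus.org/query/bl?ip=198.51.100.7
Jan  5 10:12:30 mx sendmail[4103]: k05ACUxx004103: from=<alice@example.com>, size=1024, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.com [203.0.113.5]
Jan  5 10:13:02 mx sendmail[4104]: k05AD2xx004104: ruleset=check_relay, arg1=[192.0.2.11], arg2=127.0.0.2, relay=[192.0.2.11], reject=550 Mail from 192.0.2.11 BLOCKED/DSBL; see http://www.dsbl.org/listing?192.0.2.11
Jan  5 10:13:40 mx sendmail[4105]: k05ADexx004105: ruleset=check_relay, arg1=[192.0.2.12], arg2=127.0.0.10, relay=[192.0.2.12], reject=450 Mail from 192.0.2.12 BLOCKED/SAFE; see http://www.dnsbl.sorbs.net/lookup.shtml?192.0.2.12
Jan  5 10:14:00 mx sendmail[4106]: k05AE0xx004106: ruleset=check_relay, arg1=[198.51.100.8], arg2=127.0.0.2, relay=[198.51.100.8], reject=550 Mail from 198.51.100.8 BLOCKED/COP; see http://www.spamcop.net/w3m?action=checkblock&ip=198.51.100.8
"""

# One regex captures the connecting client, the SMTP reply code and the
# BLOCKED/<TAG> marker that each FEATURE(dnsbl) reject string carries.
REJECT_RE = re.compile(
    r"ruleset=check_relay, arg1=\[(?P<ip>[^\]]+)\].*?"
    r"reject=(?P<code>\d{3}) .*?BLOCKED/(?P<tag>[A-Z]+)"
)


def count_rejections(log_text):
    """Return totals keyed by list tag, by SMTP code, and by client IP."""
    by_list, by_code, by_client = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue  # accepted mail, queue entries, etc.
        by_list[m["tag"]] += 1
        by_code[m["code"]] += 1
        by_client[m["ip"]] += 1
    return {
        "by_list": dict(by_list),
        "by_code": dict(by_code),
        "by_client": dict(by_client),
        "total": sum(by_list.values()),
    }


def report(log_text):
    """Human-readable summary, one line per list, sorted by count."""
    stats = count_rejections(log_text)
    lines = [f"{tag:6} {n}" for tag, n in
             sorted(stats["by_list"].items(), key=lambda kv: -kv[1])]
    lines.append(f"total  {stats['total']} "
                 f"(550: {stats['by_code'].get('550', 0)}, "
                 f"450: {stats['by_code'].get('450', 0)})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MAILLOG))
```

Run it against a real maillog by reading the file instead of SAMPLE_MAILLOG; lines that do not carry a check_relay rejection are skipped.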
dnsbl's + other means for spam abatement to use
here's the bl's that i am using with sendmail that would go into your siteconfig.mc file -- that through trial and error -- i have found have zero false positive hit rate... n.b. that the XXX.r.mail-abuse.com (RBL) & XXX.q.mail-abuse.com (QIL) bl's require you to have a subscription to Trend Micro Advanced Email Reputation Services at http://us.trendmicro.com/us/products/enterprise/network-reputation-services/index.html -- you can get a free trial at https://nssg.trendmicro.com/download/trial/trial-services.php?id=66 --
make sure you select "Email Reputation Services, Advanced". you would then replace the "XXX" in the below with the activation code they would send you:
FEATURE(dnsbl, `XXX.r.mail-abuse.com.', `"550 Mail from " $&{client_addr} " BLOCKED/RBL; see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
FEATURE(dnsbl, `zen.spamhaus.org.', `"550 Mail from " $&{client_addr} " BLOCKED/ZEN; see http://www.spamhaus.org/query/bl?ip=" $&{client_addr}')
FEATURE(dnsbl, `bhnc.njabl.org.', `"550 Mail from " $&{client_addr} " BLOCKED/BHNC; see http://www.njabl.org/lookup?" $&{client_addr}')
FEATURE(dnsbl, `bl.spamcop.net.', `"550 Mail from " $&{client_addr} " BLOCKED/COP; see http://www.spamcop.net/w3m?action=checkblock&ip=" $&{client_addr}')
FEATURE(dnsbl, `list.dsbl.org.', `"550 Mail from " $&{client_addr} " BLOCKED/DSBL; see http://www.dsbl.org/listing?" $&{client_addr}')
FEATURE(rhsbl, `dsn.rfc-ignorant.org.',`"550 Mail from domain " $`'&{RHS} " BLOCKED/DSN; MX of domain does not accept bounces in violation of RFC 821/2505/2821, see http://www.rfc-ignorant.org/tools/lookup.php?domain=" $`'&{RHS}')
FEATURE(rhsbl, `bogusmx.rfc-ignorant.org.',`"550 Mail from domain " $`'&{RHS} " BLOCKED/BMX; MX of domain contains bogus address information in violation of RFC 1035/3330, see http://www.rfc-ignorant.org/tools/lookup.php?domain=" $`'&{RHS}')
FEATURE(dnsbl, `XXX.q.mail-abuse.com.', `"450 Mail from " $&{client_addr} " BLOCKED/QIL; see http://www.mail-abuse.com/cgi-bin/lookup?ip_address=" $&{client_addr}')
FEATURE(dnsbl, `safe.dnsbl.sorbs.net.', `"450 Mail from " $&{client_addr} " BLOCKED/SAFE; see http://www.dnsbl.sorbs.net/lookup.shtml?" $&{client_addr}')
i also use the http://hcpnet.free.fr/milter-greylist greylisting package as well as spamassassin with some custom score tweaks available at http://iconia.com/user_prefs. all this keeps my mailbox as well as other users at a college radio station and a commercial asp with lots of public email addresses on their respective websites relatively spam free.
respectfully submitted,
geoff goodfellow
-
Re:Not noticing the increase
Blacklists, my friend. Here's my current list:
rsync-mirrors.uceprotect.net : Level 2 - Fast local blocking
combined.njabl.org - For dynamic IPs and other
dnsbl.sorbs.net - For open relays
relays.ordb.org - For open relays
list.dsbl.org - Various types of unsecured servers
dnsbl.tqmcube.com - dynamic IPs, spam trap
bl.spamcop.net - Spam trap
sbl-xbl.spamhaus.org - Known spammers, exploited servers
l2.spews.dnsbl.sorbs.net - Spam friendly ISPs
dnsbl.ahbl.org - Realtime composite
About four of those are composites, and contain blocks for dynamic IPs. Each link goes to the usage page for the blacklist, and if you want, you can just block dynamic IPs by using the correct subdomain.
-
Running mail at home has its advantages...
"Running mail at home is a waste of my time. It can be done, but you get nothing but hassle out of it..."
After you set up your mail server (admittedly a bunch of upfront hassle) there is precious little maintenance to do. And I get lots of features I couldn't get otherwise:
- Mail clients are filtered through my firewall: I blackhole bogons for example, and certain abusive networks.
- RBLs of my choice: There are good RBLs and bad RBLs. I like the ORDB list, DSBL list, the Spamhaus SBL and XBL lists, the SORBS DUL list, and the Spamcop blocking list.
- Greylisting: This is effective for eliminating the remaining spam that makes it through your SMTP-time filters.
- Challenge-response: Yeah, I know... love 'em or hate 'em. TMDA has been useful to me in the past, though I'm not sure I'm going to keep it much longer.
- One-time email addresses: If you maintain your own server and domain, then you can have as many email addresses as you want. Expire them on your schedule, or perform special processing for mail received at those addresses.
- Forget about artificial mail-size limits: My ISP's email accounts cut off attachments at something like 2MB. So much for that camping video my friend wanted to send me. My personal mail server is much more forgiving.
- Flexible and secure access: My mail clients use POP3 and IMAP inside the firewall, and IMAP via SSH port-forwarding from the outside.
-
Re:SMTP server at home?
That's called the Distributed Sender Blackhole List
ISPs who don't want their customers to be running their own E-mail servers can register their domain ranges to this list. Companies and individuals then look up each IP address in this list and reject the connection accordingly.
-
Detect infection and shut down service
A quick way to handle the situation you describe is to detect the infection from outside and then shut down (or limit) service to the affected hosts. Sniffing network traffic to assess infections is the most accurate way, but here's another technique. Most viruses are involved with spamming in one way or another, and as such, infected hosts are detected out on the Internet.
What you should do is routinely grab (rsync) a full listing of blacklisted hosts from CBL, DSBL and elsewhere... and then use the grepcidr program to hunt for IP addresses from your network inside those huge lists.
This can be totally scripted. If you locate infected hosts, you can then revoke or cripple service to them one way or another. Examples of crippling would be to reduce available bandwidth (tarpit on a linux router), blocking all but the most essential outbound ports at the firewall. Or you could be more brutal and just revoke their IP connectivity.
-
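The grepcidr step above, as an added example that is not part of the original post: parse a downloaded blocklist zone and report every listed address or block that falls inside the networks you operate. The zone dump format (one IP or CIDR per line, `#` comments) and the network prefixes are assumptions made for the example.

```python
"""Cross-check a downloaded blocklist zone against our own address space.

Added example. Assumes the zone dump is plain text with one IP address or
CIDR block per line; the actual rsync zone format of any given list is not
taken from the page. OUR_NETWORKS and SAMPLE_ZONE are constructed
documentation-range data.
"""
import ipaddress
from collections import defaultdict

OUR_NETWORKS = ["192.0.2.0/24", "198.51.100.0/25"]

SAMPLE_ZONE = """\
# blocklist zone dump (constructed sample)
203.0.113.9          # someone else's host, ignored
192.0.2.44           # one of ours, listed as a single host
198.51.100.200       # outside our /25 (which ends at .127)
198.51.100.17
192.0.2.44           # duplicate entry, reported once
not-an-address       # junk line, skipped
192.0.2.0/26         # a whole block of ours listed at once
"""


def parse_zone(text):
    """Yield ip_network objects from a zone dump; single hosts become /32s.

    Comments and unparsable lines are skipped rather than aborting the run,
    because a zone file is untrusted input we fetched from outside.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            yield ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue


def listed_in_our_space(zone_text, our_networks=OUR_NETWORKS):
    """Return {our_network: sorted listed entries overlapping it}.

    overlaps() catches both a listed /32 inside our range and a listed
    block that covers part of it; the latter usually means more than one
    host is sending abuse and deserves attention first.
    """
    ours = [ipaddress.ip_network(n) for n in our_networks]
    hits = defaultdict(set)
    for entry in parse_zone(zone_text):
        for net in ours:
            if entry.version == net.version and entry.overlaps(net):
                hits[str(net)].add(str(entry))
    return {net: sorted(entries) for net, entries in hits.items()}


def hosts_to_examine(zone_text, our_networks=OUR_NETWORKS):
    """Flatten the report to the number of our addresses covered by listings."""
    covered = set()
    for entry in parse_zone(zone_text):
        for net in (ipaddress.ip_network(n) for n in our_networks):
            if entry.version == net.version and entry.overlaps(net):
                covered.update(ipaddress.ip_network(net).hosts()
                               if entry.supernet_of(net) else entry.hosts()
                               if entry.prefixlen < entry.max_prefixlen
                               else [entry.network_address])
    return len(covered)


if __name__ == "__main__":
    for net, entries in listed_in_our_space(SAMPLE_ZONE).items():
        print(net, "->", ", ".join(entries))
```

Feed it the real zone file you mirror and your own prefixes; entries in the report are the customer hosts to rate-limit or cut off, as the post suggests.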
Re:Will it be better than milter-sender?
SBL-XBL is great. It blocks a lot of stuff. In the last several months I added the following which have also helped:
relays.ordb.org - http://www.ordb.org/
combined.njabl.org - http://www.njabl.org/
list.dsbl.org - http://dsbl.org
I also added ClamAV with the clamav-milter. That's eliminated all of the viruses that I used to get, although it does nothing for the virus warning messages I get from poorly administrated mail servers out there. Before I added ClamAV I was using the Virus Snaggers procmail package which was great at catching a lot of that stuff.
BTW, I use this procmail rule to catch all of the DSNs I get and stuff them in a mbox rather than having them clutter my inbox. I didn't write this and I forget who did. I think I got it from a post here on Slashdot sometime in the last year. To whoever wrote this, thanks.
# This recipe catches most DSNs
:0HB
* -1^0
* 1^0 ^FROM_MAILER
* 1^0 ^Status: 4.2.0
* 1^0 ^Status: 4.4.1
* 1^0 ^Status: 4.4.2
* 1^0 ^Status: 4.4.6
* 1^0 ^Status: 4.4.7
* 1^0 ^Status: 5.0.0
* 1^0 ^Status: 5.1.1
* 1^0 ^Status: 5.1.2
* 1^0 ^Status: 5.1.6
* 1^0 ^Status: 5.2.1
* 1^0 ^Status: 5.2.2
* 1^0 ^Status: 5.2.3
* 1^0 ^Status: 5.3.5
* 1^0 ^Status: 5.4.7
* 1^0 ^Status: 5.5.0
* 1^0 ^Status: 5.7.1
* 1^0 ^554 5.0.0 Service unavailable .*
* 1^0 ^Remote host said: 550.*User unknown
* 1^0 ^Remote host said: 554.*doesn't have a yahoo.com account.*
* 1^0 ^User.*not listed in public Name & Address Book
* 1^0 ^Sorry, no mailbox here by that name.
* 1^0 ^<.*>: Unkown user:
* 1^0 ^User mailbox exceeds allowed size:
* 1^0 ^.*No matches to nameserver query
* 1^0 ^A message that you sent could not be delivered
* 1^0 ^.*550 unknown user
* 1^0 ^This is a permanent error; I've given up.
* 1^0 ^The user(s) account is temporarily over quota.
* 1^0 ^Receiver not found:.*
* 1^0 ^Requested action not taken: mailbox unavailable.
* 1^0 ^--AOL Postmaster
* 1^0 ^I'm sorry to have to inform you that the message returned
* 1^0 ^550 5.1.1 <.*>... User unknown
* 1^0 ^550 <.*>\.\.\. User unknown
* 1^0 ^Subject:.*failure notice
* 1^0 ^did not reach the following recipient\(s\):
* 1^0 ^The following recipient(s) could not be reached:
* 1^0 ^.*550 Mailbox quota exceeded
* 1^0 ^.*550 Access Denied
* 1^0 ^550 5.0.0.*Can't create output
* 1^0 ^.*There is no such addressee as
* 1^0 ^Mail Delivery Failed... User unknown
daemon-msgs
-
Re:WAR!
Amen. I only use my HotMail account for things that I know I don't care about or will probably end up in the hands of the spammers, and because it's required to get into the IM system to chat with my less-savvy friends.
Otherwise, I run my own mail server with blacklists and SPAM filtering, further filtering with my mail client, leaving me very few junk mail messages to actually deal with. As far as I know, no false positives have been lost. The server ignores suspected servers, and the spam filter throws away any high-scoring mail, leaving low-scoring spam for the mail client to handle, which gives me a chance to find mail I would want to keep (very, very, rare), tossing the rest in the trash can so I can peruse them.
I have a web mail client, too, so I can check in from anywhere I can't fire up my client or shell in.
Also, I don't worry about space. I'm casual (OK, lazy) about deleting mail, and after several years of not deleting what should probably be deleted I've only accumulated a couple hundred MB of crap. (Yes, it's sorted automatically into folders by sender or content.) That includes old "let's have lunch" announcements as well as mail with large attachments. The server's got another 50GB of space on it (slowly being eaten by web server and mail logs), so I'm not too worried about running out any time soon.
1 GB would suffice and give me another few years to fill up. Then I'd probably have to get rid of those lunch invites from 1998...
-
We already know, and admins already know
There are several projects out there that are detecting and blocking open relays (quite effective... I have used this and similar blocklists on my mail server). FTC wouldn't be doing anything groundbreaking, except more formally contacting the owners. Not that mail server admins don't notice when millions of sites start bouncing their mail because they're listed on such places as ordb and dsbl! After all, that is part of the effect of blocklists... puts pressure on people who run improper mail servers.
-
Re:why not?
The biggest threat to email isn't open relays or proxies. The biggest threat is every fucking ninny out there that just has to run their own mail server and then does so poorly. If I want to receive mail from most of these idiots, then my server has to be willing to accept email from completely broken servers. In the end, that means spammers get through where I should be able to block them.
That couldn't be further from the truth. I volunteer admin time on an anti-spam system.
The most horribly broken, horribly insecure systems on the internet (besides small businesses running MS exchange) are those of some of the larger ISPs. *especially* those of the residential broadband providers. Not only are their systems broken, they're so arrogant, and so dead-set in their ways that they refuse to accept it when someone points out an obvious security flaw in their network.
-
Re:It seems sad on the surface, but I won't miss '
The ratio of "collateral damage" to actual spams stopped is way too high
Hear, hear. Effective blacklists with no practical collateral damage actually exist, even if all the attention seems to gather around the overzealous (SPEWS) and stupid (AOL) blocklists.
dsbl.org open proxy/relay list, easy to get out once you fix the problem. very effective.
spamhaus.org lists IP addresses known to belong to spammers. Not as effective as dsbl, but a nice complement in case a spammer decides to send mail directly instead of raping a relay.
with those two, 60-80% of spam will stop at the gates, so you will still need a content based filter for the rest.
-
The Heavy Hitters Are Still Around
So, when will we see a distributed RBL that can stand up to distributed attacks?
I'd never even heard of the two sites that closed down. Personally, I use Spamcop's DNSBL, DSBL, and ORDB.
-Lucas
-
Re:who says its spammers?
He obviously has more knowledge of blacklisting than you have. Or give us an EXAMPLE of spews blacklisting a subnet that isn't on a spammer friendly ISP. And lumping every blacklist from spews to dsbl.org and spamhaus.org isn't very wise either.
Even spews doesn't just blacklist entire A/B subnets at a glance, unless they obviously belong to a spammer. They start with single IPs, and ONLY IF the spammer doesn't get kicked out, the block is gradually enlarged.
It's not blind logic either. Standard whois queries are used to check what IP blocks belong together and who owns them. If your ISP owns a /16 subclass and doesn't bother setting rwhois up to make people able to distinguish between IPs owned by legitimate companies and IPs owned by spammers, how can a blacklister know what IPs of the /16 block belong to the spammer?
And while boasting spamassassin, remember that it uses blacklists as well. However, using blacklists on SMTP level seems to be the only way to bring the spamming problem to the attention of the ISP harboring spammers.
Personally, I don't use spews, but:
dsbl: open relay, open proxy lists.
spamhaus sbl: IP network ranges belonging to spammers.
0 collateral damage so far. Other high-quality blacklists include:
spamcop: dynamic and automatic blacklist that lists IP addresses only WHILE they are spamming.
njabl: probably the best list overall, listing all of them: spammers, proxies, relays, dialups.
Of course, many insist on not using their ISP's SMTP servers, so dialup IP blocking is risky, and spamcop.net relies on users reporting spam, so a group of clueless people may result in a wrong IP being blacklisted, so the above two blacklists don't suit everyone.
-
not all RBLs created equal
List shopping? Choose by philosophy, methodology, and listing/de-listing policies. Here are the ones I use:
- Distributed Server Boycott List (list: list.dsbl.org)
- Open Relay Database (list: relays.ordb.org)
- Spamhaus Block List (list: sbl.spamhaus.org)
DSBL and ORDB list open relays. They have a clear (i.e. programmatically implementable) listing/de-listing process. Spamhaus actively investigates spam gangs. Their policy is not programmatically implementable, but it's pretty clear.
DSBL even has three flavors to choose from:
- list.dsbl.org "single-stage relays tested by trusted users"
- multihop.dsbl.org "the outputs of multihop relays, tested by trusted users"
- unconfirmed.dsbl.org "everything else, including tests done by anonymous users, people could potentially sign up their own ISP's mail server to this list"
I have a relatively small and spam-free system (only six domains, very few email addresses that are not publicly visible), so for the last 7529 emails (since I configured to use these RBLs) processed by Postfix the server has rejected:
- 103 via list.dsbl.org
- 1 via relays.ordb.org
- 8 via sbl.spamhaus.org
If you're griping about collateral damage, then don't choose a wanton list, and advise others not to use one. Just don't go maligning all RBLs like ignorami.
-
Re:Hurrah for blacklists
You're probably right, they will eventually want to charge money, and, IMHO, their solution looks overly complicated and manipulable (spammers pay for "trusted" members to list them as "trusted").
It would be better if ISPs participated in services like the ORDB, SORBS and Monkeys that have simple network testable criteria for listing open relays. Spews, Spamhaus, and DSBL have reputable lists of usernames and addresses that send spam. If ISPs and admins would participate in projects like these, the spam problem would be greatly reduced. And it seems that these projects are mostly run by admins who are interested in blocking spam, not selling a service.
By the way, MAPS is currently free for individual use (look at the bottom of the page).
-
Summary of IETF ASRG discussions
Four days ago when this was mentioned on slashdot, I posted the following summary of what had been discussed. Sadly, this summary is still pretty complete.
What I take from all this discussion is that the only "solution" to spam is to do the types of things that we have been doing for years, but to do more of it and quicker. Use well run DNS blacklists (Spamhaus SBL, ordb, dsbl, etc.), use good content filters (bayesian filters, etc.), use bulk mail detectors such as DCC or vipul's razor, etc.) and per-user whitelists and blacklists.
Or, combine all of the above techniques by using SpamAssassin
--
I've been subscribed to the list since near the beginning and have been following it fairly closely. Much of the discussion has been rehashes of old topics such as "what exactly is spam?", "make the sender pay something, either money or CPU", etc.
The most interesting discussions that I've seen so far are:
- Mail transfer programs (MTA) such as sendmail, exim, qmail, etc., should keep track of sender-recipient pairs. The first time the sender-recipient pair shows up, sendmail (or whatever) should issue a "temporary delivery failure". This will force the sending mail transfer program to queue the mail and resend it later. This is completely backwards compatible and doesn't require end users to do anything.
Most spam specific programs will not queue and retry, and thus the spam will be dropped.
Spammers that use real mail transfer programs or open relays will need to be able to hold all their outgoing spam for a while, increasing the spammer's costs and slowing down the delivery of spam. Legitimate email will not be thrown out, it will only be delayed and only for the first time.
Of course, you don't really want the databases to remember every sender-recipient pair forever, nor do you want to remember pairs that were added by spam so this really isn't a "first time" database, but it is close.
Apparently the "canit" program already does this, but I had not heard of this technique before.
- Spam filtering really needs to be done while the email is being received. Sendmail can already do this with the milter filter, but other MTAs should also. Most mail servers are I/O bound, not CPU bound so this really isn't much of a burden on the server.
If you filter during the email receive process, you can make the sending MTA do the bounce. This means that you will not have to deal with spammers forging "from" and "reply-to" headers. You won't have to clean up bounces that never succeed, nor will you be responsible for bouncing spam to another victim that the spammer selected for the "from" or "reply-to" headers.
Also, false positives will receive a bounce message instead of just disappearing. This reduces the danger of important email being lost.
- There are also several proposals to deal with ways of verifying that email being sent from a given IP address and claiming to be from a certain domain is actually authorized to send email claiming it is from that domain.
Right now, there are DNS records that tell you which IP addresses are valid to try and send email to for a given domain (the MX records), but many ISPs have different machines for sending and receiving email. There are currently no DNS records to tell you which IP addresses a domain will send email from.
The problem with this kind of proposal is that there are many people who think they have legitimate reasons to forge "from" or "reply-to" addresses. It also forces ISPs to make sure that every time they add a new outgoing mail server, they need to update the list of valid IP addresses. If they forget to do this, then only bleeding edge spam filters will detect a problem.
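The sender-recipient tracking scheme described above, as an added example (my own code, not canit's or any MTA's): a small greylisting store that returns the SMTP decision for each delivery attempt. Following common practice it keys on the client IP as well as the sender and recipient, and it implements the two caveats the summary raises, expiring pairs that never retry and ageing out confirmed pairs rather than remembering them forever.

```python
"""Greylisting decision store for the sender/recipient scheme in the summary.

Added example; not the canit implementation. Times are seconds; tests pass
an explicit `now` so behaviour is deterministic.
"""
import time
from dataclasses import dataclass, field


@dataclass
class Greylist:
    delay: int = 300                   # minimum wait before a retry is accepted
    unconfirmed_ttl: int = 4 * 3600    # forget first contacts that never retry
    confirmed_ttl: int = 30 * 86400    # how long a proven triplet stays accepted
    pending: dict = field(default_factory=dict)    # triplet -> first_seen
    confirmed: dict = field(default_factory=dict)  # triplet -> last_seen

    def check(self, client_ip, sender, recipient, now=None):
        """Return 'accept' or 'defer' for one SMTP delivery attempt.

        'defer' means the MTA should answer with a 4xx temporary failure so a
        real MTA queues and retries; most spam engines never come back.
        """
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        self.expire(now)
        if key in self.confirmed:
            self.confirmed[key] = now          # refresh the auto-whitelist
            return "accept"
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now            # first contact: make them wait
            return "defer"
        if now - first_seen < self.delay:
            return "defer"                     # retried too soon, keep waiting
        del self.pending[key]                  # a patient retry proves an MTA
        self.confirmed[key] = now
        return "accept"

    def expire(self, now):
        """Drop stale entries so the database does not grow without bound."""
        self.pending = {k: t for k, t in self.pending.items()
                        if now - t < self.unconfirmed_ttl}
        self.confirmed = {k: t for k, t in self.confirmed.items()
                          if now - t < self.confirmed_ttl}


def run_demo():
    """Constructed delivery attempts: a real MTA retrying, and a fire-and-forget spammer."""
    g = Greylist()
    mta = ("203.0.113.5", "alice@example.com", "bob@example.org")
    spam = ("198.51.100.7", "promo@example.net", "bob@example.org")
    decisions = [
        g.check(*mta, now=0),        # defer: first contact
        g.check(*mta, now=60),       # defer: retried before the delay elapsed
        g.check(*mta, now=900),      # accept: patient retry, now confirmed
        g.check(*mta, now=1000),     # accept: confirmed pair, no delay
        g.check(*spam, now=0),       # defer: spammer never retries
    ]
    return decisions, len(g.pending), len(g.confirmed)


if __name__ == "__main__":
    print(run_demo())
```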
-
Re:but its usually from an open relay...
you know, I contacted several MAPS type orgs to offer my built-in honeypot off of bad IPs and they refused to take them!
If those bad IPs are open relays or open proxies you can nominate them to the Distributed Server Boycott List by sending email through them.
-
Re:"Stations of the Cross" Relays attacking relay
We are also working on obtaining access to true "realtime" RBL lists of currently abused open relay servers. Assistance would be appreciated.
Zones from the DSBL Project are available via rsync (bottom of page) as well as http.
-
Dream on...
Any measure for stopping spam must ensure that all non-spam messages reach their intended recipients.
If that were true, ISPs would have absolutely no reason to kick their spammers and the admins of open relays and open proxies would have no reason to secure their systems against abuse.
In short, nobody would slow down the spammers and our inboxes would be flooded by spam, even if the filters were 99% effective.
The only way to reduce the amount of spam you receive is by reducing the amount of spam being sent.
Personally I use the SBL and DSBL lists to block mail from known spammers, their supporters and open relays and open proxies.
Email is protected speech. There is a fundamental free speech right to be able to send and receive messages, regardless of medium.
Spammers have a right to free speech, but they have no right to free speech on my property. If they want to advertise, let them set up a website I can view when I want to. Free speech is about speech in public areas and is not relevant when it comes to private property. Free speech does not trump private property rights. If you think free speech does apply to private property, send me your address and I'll organise an industrial and hard rock concert in your garden.
Having said that, I think it would be good if every user could choose for him/herself the filters used on his/her mailbox. If only because the users are likely to choose much more aggressive filtering than ISPs could ever set up by default.
-
Re:"Interstate commerce"? What about international
I applaud the US judicial system for approving and using such laws in America, but the whole world isn't the USA. We need a world-trade law, perhaps mandated by the WTO, to prevent spammers from breeding.
It's been a long day -- I read this and had a mental picture of a law that required all spammers to use condoms....
;)
On a more serious note, international law isn't up to dealing with spam and spammers yet, and I don't think it will be any time soon. It can't even deal with terrorism and terrorists effectively.
:/
Of course, there's always relays.osirusoft [osirusoft.com] - a cross-referenced database of nearly all DNS blacklists.
Osirusoft is an excellent resource, but it doesn't contain anything even close to all of the available anti-spam blacklists. MAPS is pretty irrelevant these days, but don't forget the DSBL, Five-Ten-Sg, Monkeys.com, RFC-Ignorant, and Wirehub, all of which are publicly queryable and none of which are mirrored by Osirusoft.
There are a whole bunch of other blacklists out there, as well. Not all are well maintained and not all have consistent policies about which IP ranges or domains get listed and how a domain can be removed, though, so I stick to the established ones.
-
Re:How?
What standard of hackproofing should every Mom & Pop on the internet have to meet, and why?
As far as I'm concerned, everybody has the right to decide exactly how secure they make their server.
The flip-side of this liberty is that I have the full right to accept or deny any email I want and I have chosen to block email from open relays, so if Mom & Pop want to mail me, they'll have to make their server secure enough to meet my standards.
Btw, I'm using DSBL for my open relay and open proxy blocking...
-
Maybe they should get together with the orbz crew.
A new public blackhole list. There's a thought.
Orbz seems to be over here now.